While I was walking in the street, somebody carrying a laptop bag bumped into me, and the next day I found out that my storage unit was burglarized and some important items were stolen.

My storage unit door uses a magnetic-stripe card without a PIN, and I have several important items there. The items don't include money or anything that has intrinsic value itself, but they could be important to some parties.

I do realize my mistake: I shouldn't have trusted a storage unit with important items. I should have stored them in a deposit box in a bank.

To help you guys help me, I'll try to give as much information about the situation as possible:

I vividly remember his bag hitting my back pocket in an unnatural way.

I immediately checked my wallet after the bump and made sure my ID, money, and the card were there.

The stolen items are of some importance to some people and they would hire a PI.

I've already informed the police and filed a report.

The security cameras in the storage area hallway show a masked person opening the door normally, and there are no signs of forced entry.

My question is: Could that person have cloned my card when he bumped into me? Is it really as easy as touching the person's pocket? Does the process really take that small amount of time (1-2 seconds)?

Update: After investigation it turned out that the card has an RFID tag inside it, but the storage space operators didn't know about it. It was there just in case they wanted to change the locks to support RFID. The magnetic stripe and the RFID tag both contained the same data, so the thief copied the RFID tag and made a new magnetic card with the information.

Yesterday the police caught the thief after catching the person who hired him trying to sell the items to a black-market honeypot operated by the police. I identified the thief as the person who bumped into me, and he later admitted it.

Are you sure it's a magnetic strip, and not an RFID chip, that activates the lock?
– apnorton, Jun 10 '13 at 22:52

This post seems incredible to me - the alleged thief had very specific information that could only have come from the poster - such as the location and interesting contents of his storage unit - and also technical savvy to capture and clone his card data. But at the same time was caught trying to pawn what he stole?
– ddyer, Jun 13 '13 at 16:49

@ddyer The thief himself was not selling anything; he just stole the items for some other person who turned out to be an old acquaintance of mine. The thief just gave the items to someone else. When the police asked me to give a list of people who might be interested in the item, I gave them a list that included that person (the person who hired the thief). The police monitored the person and caught him selling the items. When they caught the person, he admitted he hired a thief, and then the thief was caught.
– Green Fly, Jun 13 '13 at 16:57

What kind of a security concept is this? Allowing entrance just with data off a magnetic stripe without an accompanying secret? Having the same data stored in plain and without cryptographic safeguards available through RFID? A "masked person" entering the hallway without anybody paying attention?
– syneticon-dj, Jun 26 '13 at 21:16

5 Answers
5

The magnetic field emanating from the magnetized regions in the epitaxial layer on the tape strip is not a directional light-like radiation that can be focused to form an image.

Magnetic tapes are read by a head that is in direct contact with them. Experience shows that in an audio tape deck, dirt on the head, or foreign particles like dust between the tape and the head, will cause a noticeable drop in high frequency response, as well as in overall volume. If a tape is crumpled so that it does not maintain smooth contact with the head, the degradation is clearly audible.

The magnetized regions are tiny magnetic dipoles. The field strength around a dipole weakens according to an inverse cube law which is an even faster diminishment than the inverse square law.

Furthermore, with increasing distance from the tape it is also less and less possible to resolve the individual magnetized regions, even if you can detect the magnetic field. Say that two adjacent magnetized regions representing 1 and 0 are spaced 0.5 mm apart, and the detector is 1 cm away from the tape. The detector is 20 times farther from the regions than they are from each other, and is basically equally influenced by their magnetic fields; it cannot resolve that there are two regions, let alone their orientations and the values they represent.
The tape head resolves the 1's and 0's by proximity. As it passes over one magnetized region, it is much closer to that one than to the adjacent ones.

This is why high frequencies go first when an audio tape head is even slightly separated from the tape, and the sound instantly becomes muddy. High frequencies require the greatest resolution between adjacent magnetized grains.
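The resolution argument above can be checked numerically. The following is an added example, not part of the original answer: it models each magnetized region as a vertical point dipole with inverse-cube falloff, uses the answer's 0.5 mm spacing, and tries to read a constructed bit pattern from a contact-scale gap and from 1 cm. The bit pattern, the one-dipole-per-bit encoding and all function names are assumptions made for the illustration.

```python
# Added illustration (not from the answer): idealised point-dipole model, no noise.
SPACING_MM = 0.5  # gap between adjacent magnetised regions, figure from the answer
# Constructed sample pattern; one dipole per bit (real stripes use F2F encoding).
BITS = [1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1]


def dipole_bz(dx_mm, h_mm, moment=1.0):
    """Vertical field of a vertical point dipole, constants dropped (~1/r^3)."""
    r2 = dx_mm ** 2 + h_mm ** 2
    return moment * (2 * h_mm ** 2 - dx_mm ** 2) / r2 ** 2.5


def field_over(i, h_mm, bits=BITS):
    """Field seen by a detector h_mm above region i: the sum over every region."""
    return sum(
        dipole_bz((i - j) * SPACING_MM, h_mm, 1.0 if b else -1.0)
        for j, b in enumerate(bits)
    )


def decode(h_mm, bits=BITS):
    """Read each bit as the sign of the field above its region."""
    return [1 if field_over(i, h_mm, bits) > 0 else 0 for i in range(len(bits))]


def bit_errors(h_mm, bits=BITS):
    """Number of positions where the decoded bit differs from the stored one."""
    return sum(got != want for got, want in zip(decode(h_mm, bits), bits))


def selectivity(h_mm):
    """How much stronger the region under the detector is than its neighbour."""
    return abs(dipole_bz(0.0, h_mm)) / abs(dipole_bz(SPACING_MM, h_mm))


if __name__ == "__main__":
    for h in (0.05, 1.0, 10.0):  # contact-scale gap, 1 mm, and the answer's 1 cm
        print(f"h={h:>5} mm  selectivity={selectivity(h):10.3f}  "
              f"bit errors={bit_errors(h)}/{len(BITS)}")
```

At 1 cm the detector sees only the weighted sum of all regions, so every position decodes to the majority value and the stored pattern is lost.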

Thank you very much for your answer. In case you're interested, check the question for an update on the situation.
– Green Fly, Jun 13 '13 at 16:28

@GreenFly Interesting wrap up. I suspected as much, as did more than one commenter. This is a weakness of RFID tags, unfortunately. To guard against this kind of thing, you need a smarter tag with a small microprocessor on it which generates a different code every time based on sequence (tracked in the host system). My garage door opener implements such a scheme. It is built around an IC from Microchip (the PIC people), similar to this one.
– Kaz, Jun 13 '13 at 18:46
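The sequence-based scheme described in the comment above, as an added example that is not part of the original thread: the tag derives a fresh code from a shared key and a counter, and the host tracks the last counter it accepted, so a copied read is useless once the real tag has been used. HMAC-SHA256 stands in for whatever cipher a real part uses; the class names, key, code length and look-ahead window are assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # assumption: how many codes the host looks ahead to resynchronise


def code_for(key: bytes, counter: int) -> str:
    """One-time code for a counter value: truncated HMAC-SHA256 (assumed scheme)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:8].hex()


class Tag:
    """The 'smarter tag': holds the key and a sequence counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def emit(self) -> str:
        self.counter += 1
        return code_for(self.key, self.counter)


class Host:
    """The lock controller: tracks the last sequence number it accepted."""
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def verify(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(code, code_for(self.key, c)):
                self.last = c  # every code at or below c is now dead
                return True
        return False


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample value, not a real secret
    tag, host = Tag(key), Host(key)
    captured = tag.emit()  # the value a copied read would contain
    out = {"first_use": host.verify(captured), "replayed_copy": host.verify(captured)}
    tag.emit(); tag.emit()  # two reads the host never saw
    out["after_missed_reads"] = host.verify(tag.emit())
    for _ in range(WINDOW):
        tag.emit()  # tag drifts past the look-ahead window
    out["beyond_window"] = host.verify(tag.emit())
    return out


if __name__ == "__main__":
    print(demo())
```

A static tag, like the one in the question's update, returns the same value on every read, which is why a single copy of it was enough to open the door.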

It sounds unlikely. As @schroeder says - a mag stripe must be physically run through a reader. So if you must "swipe" the card to get access, you must swipe the card to copy it. While a pickpocket can take a card out of your pocket, if the card is still in your possession, it's unlikely that this interaction was part of the theft.

Keep in mind, however, that a single instant in time is not the only case of potential intrusion:

any time the card was left unattended for any time is an opportunity

any access to a master card is an opportunity - generally a storage unit will have a master key card - they are loaning you this space, if you default on your rent, or the police have a warrant, they will need to access your space.

Whichever card is used as a source, making a copy should leave no evidence on the card.

It may be possible, from digital logs, to see what card was used for access at the time of the break-in. Was it your card?

Chances are, you and the storage space management need to think through who had access to the cards that control your space.

Addition:

Backing up a step to a bigger picture. In any theft, there's a question of due diligence. Any type of security is tricky, and needs a diligent design and careful implementation. This particular issue involves:

electronics - the mag strip key card

physical - the access to your door, and the facility at large, as well as video surveillance

personnel - anyone who was supposed to be watching the video, the people with access to the master card, and overall personnel management

The easiest hack is generally social engineering and working in the nexus of areas of security, where there are often human communication gaps.

The general solution is to work with the site as best you can to determine who might have had access. Accusing them of a lack of due diligence probably isn't going to get the job of finding your stuff done... but sooner or later, you or the PI may need to go there to figure out if you have an insider threat or a fairly clever outside attacker.

As the comment thread shows, there are numerous options out there that are bigger than the incident you mention that are just as (if not more) likely as someone managing to pick your pocket.

Another factor that makes this unlikely is that he would have had to have been targeted specifically by the thief. If he had said that he was a jeweler and lost a million dollars worth of gems, then it seems a little more likely that someone would stalk him and clone his access card, but why would a thief pick him out specifically to clone his access card to steal items that have no intrinsic value? It's more likely that the thief was previously a customer (or employee) of the storage company and knew how to create a fake card and getting bumped into was just a coincidence.
– Johnny, Jun 10 '13 at 19:37

I wasn't going to guess on the paranoia factor, sight unseen. You're right - in a high end environment, stalking an individual is more likely. But I don't know the details here.
– bethlakshmi, Jun 10 '13 at 21:23

Another possibility: someone installed something like an ATM skimmer, capturing the card one of the times OP accessed the storage unit.
– derobert, Jun 11 '13 at 21:57

With the caveat that an installation into the site means that either (a) the site's protections and surveillance are lousy, (b) the threat is an insider, who probably doesn't need to go to such lengths if he can just copy the master key.
– bethlakshmi, Jun 12 '13 at 14:59

Thank you very much for your answer. In case you're interested, check the question for an update on the situation.
– Green Fly, Jun 13 '13 at 16:30

And yes, quarter of a second to clone RFID with the kit I have seen demonstrated.
– Rory Alsop♦, Jun 10 '13 at 17:08

And possible from a distance, with some demos I have seen.
– schroeder♦, Jun 10 '13 at 17:16

In the event that your access card does not use RFID, it's possible an attacker could have cloned something RFID-based in your pocket. He could use that to impersonate you somehow and either 1) get issued a new key or 2) get access to your key to clone it.
– apsillers, Jun 10 '13 at 17:27

If you're concerned about having an RFID card surreptitiously duplicated, you can buy ordinary looking wallets that have a wire mesh layer built in to block RF signals.
– Dan Neely, Jun 10 '13 at 20:15

@DanNeely - Agree RFID-blocking wallets are great. However, you should try testing the RFID wallet out. While I have found some that work, I've also seen one that only somewhat damped the RFID signal. (E.g., I could open my work door with the card in a closed wallet from ~6 inches away, instead of the three feet with it outside of the wallet.) My newer (more expensive) RFID wallet won't work with my work ID from any distance when I tested (on one particular scanner).
– dr jimbob, Jun 10 '13 at 23:58

While it was my first thought too while reading the question, I'm afraid we have no evidence to support it based on OP's description of events, and more importantly - it does not answer OP's question: "Could that person have cloned my card when he bumped into me? Is it really as easy as touching the person's pocket? Does the process really take that small amount of time (1-2 seconds)?" Please expand on your answer, or convert it into a comment. Thanks!
– TildalWave, Jun 10 '13 at 20:09

Thank you very much for your answer. In case you're interested, check the question for an update on the situation.
– Green Fly, Jun 13 '13 at 16:28

It defies the laws of physics to read standard magnetic stripe cards with a resolution of 210 bits per inch unless your reader playback head gap is closer to the media than the separation between bits: < 1/210" or 5 thou (which is much less than the thickness of your slacks and wallet). 5 thou is several thicknesses of paper.

While it's true there are limitations due to the laws of physics, there are two false assumptions here: 1) theoretically, you can detect the variation in magnetic field at a greater distance than the separation between emanating source, because the field is not a cube, meaning you can still read the wave (putting it in lay terms for brevity), and 2) data written would have error detection and correction, basically redundant bits of information that can be used to calculate real data, given the discrepancy is not too big (depends on parity data size).
– TildalWave, Jun 10 '13 at 21:07

Thank you very much for your answer. In case you're interested, check the question for an update on the situation.
– Green Fly, Jun 13 '13 at 16:42